
	

114 S1806 IS: Security and Privacy in Your Car Act of 2015
U.S. Senate
2015-07-21
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		II
		114th CONGRESS
		1st Session
		S. 1806
		IN THE SENATE OF THE UNITED STATES
		
			July 21, 2015
			Mr. Markey (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
		
		A BILL
		To protect consumers from security and privacy threats to their
			 motor vehicles, and for other purposes.
	
	
		1. Short title
 This Act may be cited as the “Security and Privacy in Your Car Act of 2015” or the “SPY Car Act of 2015”.
		2. Cybersecurity standards for motor vehicles
 (a) In general. Chapter 301 of title 49, United States Code, is amended—
 (1) in section 30102(a)—
 (A) by redesignating paragraphs (4) through (11) as paragraphs (10) through (17), respectively;
 (B) by redesignating paragraphs (1) through (3) as paragraphs (4) through (6), respectively;
 (C) by inserting before paragraph (3), as redesignated, the following:
 (1) “Administrator” means the Administrator of the National Highway Traffic Safety Administration;
 (2) “Commission” means the Federal Trade Commission;
 (3) “critical software systems” means software systems that can affect the driver’s control of the vehicle movement;; and
 (D) by inserting after paragraph (6), as redesignated, the following:
 (7) “driving data” include, but are not limited to, any electronic information collected about—
 (A) a vehicle’s status, including, but not limited to, its location or speed; and
 (B) any owner, lessee, driver, or passenger of a vehicle;
 (8) “entry points” include, but are not limited to, means by which—
 (A) driving data may be accessed, directly or indirectly; or
 (B) control signals may be sent or received either wirelessly or through wired connections;
 (9) “hacking” means the unauthorized access to electronic controls or driving data, either wirelessly or through wired connections;; and
 (2) by adding at the end the following:
 30129. Cybersecurity standards
 (a) Cybersecurity standards
 (1) Requirement. All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to section 2(b)(2) of the SPY Car Act of 2015 shall comply with the cybersecurity standards set forth in paragraphs (2) through (4).
 (2) Protection against hacking
 (A) In general. All entry points to the electronic systems of each motor vehicle manufactured for sale in the United States shall be equipped with reasonable measures to protect against hacking attacks.
 (B) Isolation measures. The measures referred to in subparagraph (A) shall incorporate isolation measures to separate critical software systems from noncritical software systems.
 (C) Evaluation. The measures referred to in subparagraphs (A) and (B) shall be evaluated for security vulnerabilities following best security practices, including appropriate applications of techniques such as penetration testing.
 (D) Adjustment. The measures referred to in subparagraphs (A) and (B) shall be adjusted and updated based on the results of the evaluation described in subparagraph (C).
 (3) Security of collected information. All driving data collected by the electronic systems that are built into motor vehicles shall be reasonably secured to prevent unauthorized access—
 (A) while such data are stored onboard the vehicle;
 (B) while such data are in transit from the vehicle to another location; and
 (C) in any subsequent offboard storage or use.
 (4) Detection, reporting, and responding to hacking. Any motor vehicle that presents an entry point shall be equipped with capabilities to immediately detect, report, and stop attempts to intercept driving data or control the vehicle.
 (b) Penalties. A person that violates this section is liable to the United States Government for a civil penalty of not more than $5,000 for each violation in accordance with section 30165.
							.
 (b) Rulemaking
 (1) In general. Not later than 18 months after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue a Notice of Proposed Rulemaking to carry out section 30129 of title 49, United States Code, as added by subsection (a).
 (2) Final regulations. Not later than 3 years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 30129 of title 49, United States Code, as added by subsection (a).
 (3) Updates. Not later than 3 years after final regulations are issued pursuant to paragraph (2) and not less frequently than once every 3 years thereafter, the Administrator, after consultation with the Commission, shall—
 (A) review the regulations issued pursuant to paragraph (2); and
 (B) update such regulations, as necessary.
 (c) Clerical amendment. The table of sections for chapter 301 of title 49, United States Code, is amended by striking the item relating to section 30128 and inserting the following:
				30128. Vehicle rollover prevention and crash mitigation.
						30129. Cybersecurity standards..
 (d) Conforming amendment. Section 30165(a)(1) of title 49, United States Code, is amended by inserting “30129,” after “30127,”.
		3. Cyber dashboard
 (a) In general. Section 32302 of title 49, United States Code, is amended by inserting after subsection (b) the following:
				
 (c) Cyber dashboard
 (1) In general. All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to section 3(b)(2) of the SPY Car Act of 2015 shall display a cyber dashboard, as a component of the label required to be affixed to each motor vehicle under section 32908(b).
 (2) Features. The cyber dashboard required under paragraph (1) shall inform consumers, through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects the cybersecurity and privacy of motor vehicle owners, lessees, drivers, and passengers beyond the minimum requirements set forth in section 30129 of this title and in section 27 of the Federal Trade Commission Act.
						.
 (b) Rulemaking
 (1) In general. Not later than 18 months after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall prescribe regulations for the cybersecurity and privacy information required to be displayed under section 32302(c) of title 49, United States Code, as added by subsection (a).
 (2) Final regulations. Not later than 3 years after the date of the enactment of this Act, the Administrator, after consultation with the Commission, shall issue final regulations to carry out section 32302 of title 49, United States Code, as added by subsection (a).
 (3) Updates. Not less frequently than once every 3 years, the Administrator, after consultation with the Commission, shall—
 (A) review the regulations issued pursuant to paragraph (2); and
 (B) update such regulations, as necessary.
		4. Privacy standards for motor vehicles
 (a) In general. The Federal Trade Commission Act (15 U.S.C. 41 et seq.) is amended by inserting after section 26 (15 U.S.C. 57c–2) the following:
				
 27. Privacy standards for motor vehicles
 (a) In general. All motor vehicles manufactured for sale in the United States on or after the date that is 2 years after the date on which final regulations are prescribed pursuant to subsection (e) shall comply with the features required under subsections (b) through (d).
 (b) Transparency. Each motor vehicle shall provide clear and conspicuous notice, in clear and plain language, to the owners or lessees of such vehicle of the collection, transmission, retention, and use of driving data collected from such motor vehicle.
 (c) Consumer control
 (1) In general. Subject to paragraphs (2) and (3), owners or lessees of motor vehicles shall be given the option of terminating the collection and retention of driving data.
 (2) Access to navigation tools. If a motor vehicle owner or lessee decides to terminate the collection and retention of driving data under paragraph (1), the owner or lessee shall not lose access to navigation tools or other features or capabilities, to the extent technically possible.
 (3) Exception. Paragraph (1) shall not apply to driving data stored as part of the electronic data recorder system or other safety systems on-board the motor vehicle that are required for post-incident investigations, emissions history checks, crash avoidance or mitigation, or other regulatory compliance programs.
 (d) Limitation on use of personal driving information
 (1) In general. A manufacturer (including an original equipment manufacturer) may not use any information collected by a motor vehicle for advertising or marketing purposes without affirmative express consent by the owner or lessee.
 (2) Requests. Consent requests under paragraph (1)—
 (A) shall be clear and conspicuous;
 (B) shall be made in clear and plain language; and
 (C) may not be a condition for the use of any nonmarketing feature, capability, or functionality of the motor vehicle.
 (e) Enforcement. A violation of this section shall be treated as an unfair and deceptive act or practice in violation of a rule prescribed under section 18(a)(1)(B).
						.
 (b) Rulemaking
 (1) In general. Not later than 18 months after the date of the enactment of this Act, the Commission, after consultation with the Administrator of the National Highway Traffic Safety Administration (referred to in this subsection as the “Administrator”), shall prescribe regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).
 (2) Final regulations. Not later than 3 years after the date of the enactment of this Act, the Commission, after consultation with the Administrator, shall issue final regulations, in accordance with section 553 of title 5, United States Code, to carry out section 27 of the Federal Trade Commission Act, as added by subsection (a).
 (3) Updates. Not less frequently than once every 3 years, the Commission, after consultation with the Administrator, shall—
 (A) review the regulations prescribed pursuant to paragraph (2); and
 (B) update such regulations, as necessary.
					
